VBS/Redlof.a

Wangchao Baike · author anonymous · 2010-01-30


Virus length: variable

Virus type: VBScript

Threat level: **

Affected platforms: Win3.x/9X/2000/XP/NT/Me

VBS/Redlof.a is a polymorphic, encrypted VBScript that infects files with the extensions .html, .htm, .asp, .php, .jsp and .vbs. It copies itself as either %System%\Kernel.dll or %System%\Kernel32.dll, and also changes the default file association for .dll files.

Propagation and characteristics:

1. Copies itself as one of the following:

%System%\Kernel.dll

%System%\Kernel32.dll

2. Searches all drives for files of type .html, .htm, .asp, .php, .jsp and .vbs and infects them.

3. Copies itself as %Program Files%\Common Files\Microsoft Shared\Stationery\Blank.htm; if Blank.htm already exists, it appends itself to that file.

4. Modifies the registry:

/ First verifies that the values under HKEY_CLASSES_ROOT\.dll are:

"default" = "dllfile"

"Content Type" = "application/x-msdownload"

/ Under HKEY_CLASSES_ROOT\dllFile:

Changes the value: "DefaultIcon" = "%SystemRoot%\System32\shell32.dll,-154"

Adds the subkey: "ScriptEngine" = "VBScript"

Adds the subkey: "ScriptHostEncode" = "{85131631-480C-11D2-B1F9-00C04F86C324}"

/ Creates the subkey HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command with one of the following values:

"default" = "%windir%\WScript.exe ""%1"" %*"

"default" = "%System32%\WScript.exe ""%1"" %*"

/ Modifies the value under HKEY_CLASSES_ROOT\dllFile\ShellEx\PropertySheetHandlers\WSHProps:

"Default" = {60254CA5-953B-11CF-8C96-00AA00B8708C}

/ Creates the following subkeys under HKEY_CURRENT_USER\Identities\[Default User ID]\Software\Microsoft\Outlook Express\[Outlook Version].0\Mail:

"Compose Use Stationery" = "1"

"Stationery Name" = "%Program Files%\Common Files\Microsoft Shared\Stationery\Blank.htm"

"Wide Stationery Name" = "%Program Files%\Common Files\Microsoft Shared\Stationery\Blank.htm"

/ Adds under HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail:

"EditorPreference" = "131072"

/ Creates under HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046:

"blank" = "001e0360"

/ Creates under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046:

"blank" = "001e0360"

/ Creates under HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings:

"blank" = "NewStationery"

/ Adds under HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference:

"EditorPreference" = "131072"

/ Adds under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:

"Kernel32" = "%System%\Kernel32.dll" or "Kernel32" = "%System%\Kernel.dll"

Note: %Windir% is a variable, usually C:\Windows or C:\Winnt;

%System% is a variable, usually C:\Windows\System (Windows 95/98/Me),

C:\Winnt\System32 (Windows NT/2000), or

C:\Windows\System32 (Windows XP).
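As an added illustration (not code from the original page), the following Python checks a saved registry export (.reg) for the indicators listed above: the dllFile ScriptEngine hijack, the WScript.exe open command for .dll files, the Kernel32 Run entry, and the forced Outlook Express stationery. The SAMPLE_REG data is constructed for the example, not taken from an infected machine.

```python
import re

# Constructed .reg export (sample data, not from a real machine) showing the
# dllFile hijack, the Run entry and the Outlook Express stationery change.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\dllFile]
"ScriptEngine"="VBScript"
[HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command]
@="%windir%\\WScript.exe \"%1\" %*"
[HKEY_CURRENT_USER\Identities\{GUID}\Software\Microsoft\Outlook Express\5.0\Mail]
"Compose Use Stationery"="1"
"Stationery Name"="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blank.htm"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel32"="C:\\WINDOWS\\System32\\Kernel32.dll"
'''

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}} (REG_SZ entries only)."""
    # The default value (@=) is stored under the empty name; keys and names are
    # lower-cased because the registry itself is case-insensitive.
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and '=' in line:
            name, _, data = line.partition('=')
            name = '' if name == '@' else name.strip('"').lower()
            if len(data) >= 2 and data[0] == data[-1] == '"':
                keys[current][name] = re.sub(r'\\(.)', r'\1', data[1:-1])  # undo \\ and \" escapes
    return keys

def redlof_indicators(keys):
    """Return the Redlof registry indicators present in a parsed export (empty if none)."""
    hits = []
    if keys.get(r'hkey_classes_root\dllfile', {}).get('scriptengine', '').lower() == 'vbscript':
        hits.append('dllFile ScriptEngine = VBScript')
    cmd = keys.get(r'hkey_classes_root\dllfile\shell\open\command', {}).get('', '')
    if 'wscript.exe' in cmd.lower():  # .dll files are now executed as script
        hits.append('dllFile open command uses WScript.exe: ' + cmd)
    run = keys.get(r'hkey_local_machine\software\microsoft\windows\currentversion\run', {})
    if run.get('kernel32', '').lower().endswith(('\\kernel.dll', '\\kernel32.dll')):
        hits.append('Run entry Kernel32 -> ' + run['kernel32'])
    for key, vals in keys.items():  # any identity GUID and Outlook Express version
        if key.endswith('\\mail') and vals.get('compose use stationery') == '1' \
                and vals.get('stationery name', '').lower().endswith('\\stationery\\blank.htm'):
            hits.append('Outlook Express stationery forced to Blank.htm under ' + key)
    return hits
```

Export the keys with `reg export` on the host under review and pass the file contents to `parse_reg`; an empty list from `redlof_indicators` means none of these four indicators were found.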

 